The French data regulator, CNIL, has hit Google with a fine of 50 million euros for breaching the EU’s data protection rules, the first penalty for a U.S. tech giant under the GDPR. It is one of the biggest regulatory enforcement actions since the GDPR came into force.
The record fine was levied by CNIL for Google’s “lack of transparency, inadequate information and lack of valid consent” regarding ads personalisation for users. CNIL said that people were “not sufficiently informed” about how Google had collected their data and had personalised advertising as a result.
The regulator said Google had not obtained clear consent to process data because “essential information” was “disseminated across several documents”. The information about how and why a user’s data would be used was only accessible after several steps, sometimes requiring up to five or six separate actions from the user. The regulator stated that “users are not able to fully understand the extent of the processing operations carried out by Google”. The French regulator also found that Google’s explanation of why it processes the user’s data was “described in a too generic and vague manner”.
CNIL found that Google had failed to obtain a valid legal basis to process user data. The option to personalise ads was “pre-ticked” when creating a user account, which is a clear breach of the GDPR. The user gives their consent in full for all of the processing purposes carried out by Google on the basis of that consent (ads personalisation, speech recognition etc.). The GDPR provides that consent must be specific and must be given by the user for each specific purpose.
Complaints against Google were filed in May 2018 by two separate privacy rights groups, NOYB and La Quadrature. The first complaint under the GDPR was filed on 25 May 2018, the day the legislation came into effect. The groups claimed that Google did not have a valid legal basis to process user data for ad personalisation, as required by the GDPR. The privacy campaign group NOYB said that it found that most of the biggest service providers did not do enough to comply with the GDPR. This wasn’t just found to be the case with Google; big names such as Amazon, Apple, and Spotify failed to comply with the regulations according to NOYB.
In a statement, Google said that “people expect high standards of control and transparency from us”. Google said it was studying the decision to determine its next steps.
This news shows that large corporations are not exempt from the General Data Protection Regulation or from the consequences of breaching it. It should also serve as a warning to smaller businesses that may feel they have sufficiently amended the way they handle data, when in fact they may be breaching the GDPR through something as simple as vague descriptions of data processing.
For legal advice on your data protection policies, speak to Farleys’ GDPR specialists on 0845 287 0939 or complete our online contact form and one of the team will get in touch with you.